Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications." Click for the complete book excerpt series or purchase the book.

Download this free guide

Download: Buyer's Guide to Windows Server 2016 in 2017

You may be due for an upgrade! Check out our full Windows Server 2016 Buyer's Guide to see if a switch to the new server would be the best move for your organization.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Use L2TP/IPSec VPNs

Where dial-up access is required, require the use of VPNs and do not allow plain dial-up connections. VPNs are a better choice for security. Two VPN types can be configured. Where possible, use L2TP/IPSec. PPTP is considered to be a less secure VPN protocol than L2TP/IPSec; however, it can provide secure communications if correctly configured. In general, though, L2TP/IPSec is simply a better choice. Important differences in these technologies are listed in Table 11-3.

When VPN access is configured during setup, both PPTP and L2TP/IPSec ports are configured on the RRAS server. No configuration is possible directly on the ports. Settings on clients determine which protocol is used; however, if you can restrict VPN access to one or the other, you may delete the other type of communication port.

NOTE The L2TP/IPSec standard as originally written is incompatible with NAT because IPSecencrypted packets including a checksum calculated over the IPSec source address. Since NAT modifies the source address, packets are considered to be corrupt or modified and dropped when received. NAT-Traversal, or NAT-T, uses UDP to encapsulate the IPSec packet, and therefore the packet can pass through the NAT server without a modification that will cause problems for IPSec. The NAT server must implement NAT-T. The Windows Server 2003 implementation of Internet Key Exchange (IKE), a component of IPSec, can detect NAT-T and use UDP-ESP encapsulation.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy